b"MEMORANDUM\n\n\nTO            :      Norma V. Cant\xc3\xba\n                     Assistant Secretary\n                     Office for Civil Rights\n\nFROM          :      John P. Higgins, Jr.\n                     Acting Assistant Inspector General\n                     Analysis and Inspection Services\n\nSUBJECT       :      Results of the OIG Review of OCR's Interna l Controls Over the\n                     Procurement of Goods and Services (A&I 2000-007)\n\n\nINTRODUCTION\n\nThis memorandum transmits our review results of OCR\xe2\x80\x99s internal controls over the\nprocurement of goods and services. This review is part of OIG's Department-wide\nreview of this area. The Department\xe2\x80\x99s management is responsible for establishing and\nmaintaining internal controls. We will transmit the Department-wide results to the\nDeputy Secretary with copies to the Assistant Secretaries and other senior staff when we\ncomplete our review. On July 27, 2000, OIG staff met with you and your Special\nAssistant, John Jackson, to discuss the results of this review. Following that meeting,\nOIG staff also met with members of the OCR procurement staff to discuss the review.\n\nRESULTS\n\nBased on our review, we identified certain deficiencies that prevent OCR from fully\nsatisfying GAO\xe2\x80\x99s Standards for Internal Control in the Federal Government. For your\ninformation and corrective action, we listed those deficiencies in the attached chart\n(Attachment A). In the future, we anticipate conducting a follow-up review to assess\nactions you have taken to satisfy GAO\xe2\x80\x99s Standards for Internal Control in the Federal\nGovernment .\n\nIn addition, we want to advise you and OCR managers of inherent vulnerabilities we\nidentified in two Department procurement systems.\n\n\xc3\xbc Purchase Cards \xe2\x80\x93 For efficiency reasons, the Department designed a purchase card\n  system where cardholders can order, receive and approve payments for goods and\n  services. Consequently, as a control, the Department established approving officials\n\x0c   to review the use of purchase cards. Therefore, it is important that approving officials\n   properly review all cardholder statements, including invoices, before forwarding them\n   to OCFO for payment.\n\n\xc3\xbc Third Party Draft System (TPDS) \xe2\x80\x93 An individual with signature authority can issue\n  TPDS checks without the involvement of anyone else. Therefore, it is important that,\n  at a minimum, the supervisor of the individual with signature authority conduct\n  periodic reviews of TPDS disbursements.\n\nDuring our review, we noted that some OCR employees assigned purchase cards are\nbelow the minimum grade level (GS-9) required to receive annual ethics training.\nBecause of their procurement responsibilities, we believe that ethics training would\nbenefit these employees. Management should require them to attend annual ethics\ntraining.\n\nOBJECTIVE\n\nOur review objective was to assess the internal controls over compliance with laws and\nregulations for the procurement of goods and services other than studies or evaluations.\n\nSCOPE\n\nWe limited our work to procurements in Washington, D.C. (Headquarters) using the\nThird Party Draft System and purchase cards. We did not conduct testing on OCR\xe2\x80\x99s\ncontracting practices or use of the \xe2\x80\x9cCorporate\xe2\x80\x9d Government Travel Account.\n\nMETHODOLOGY\n\nTo achieve our objectives, we interviewed OCR staff involved with procurement\nprocesses and reviewed relevant documents. As part of our work, we reviewed samples\nof TPDS checks and purchase card transactions. For TPDS, we selected a sample of 50\nTPDS checks issued between October 1998 through September 1999 (FY 1999) and\nOctober 1999 through February 2000 (FY 2000). OCR has four cardholders located in\nheadquarters. One of those cardholders had no activity during the period covered by our\nreview. We judgmentally selected a sample of 18 card statements belonging to the three\ncardholders with activity during the period we were reviewing. We then selected 50\npurchases to review for periods ending October 16, 1998 and February 16, 2000. In\nselecting our sample, we did not include any transactions dated prior to October 1, 1998.\nWe also reviewed OCR\xe2\x80\x99s monthly card statements included in OCFO\xe2\x80\x99s files for\nSeptember 1999 and March 2000.\n\nWe based our conclusions about OCR's internal controls on information gathered during\ninterviews and transaction testing. We conducted our interviews and transaction testing\nbetween May 3, 2000 and July 3, 2000. We assessed OCR's internal controls based on\nGAO's Standards for Internal Control in the Federal Government issued November\n1999. Attachment B to this memorandum contains a summary of the GAO Standards.\n\x0cWe conducted our work in accordance with the President's Council on Integrity and\nEfficiency (PCIE) Quality Standards for Inspection dated March 1993.\n\nWe appreciate the cooperation shown by your staff during our review. If you have any\nquestions regarding the results of this review, please call me at 205-5439.\n\n\nAttachments\n\n\ncc:   Deputy Secretary\n\x0c                                                                          Attachment B\n\n          GAO\xe2\x80\x99s Standards for Internal Control in the Federal Government\n                        Components of Internal Control\n\n\xe2\x80\xa2   Control Environment \xe2\x80\x93 Management and employees should establish and maintain\n    an environment throughout the organization that sets a positive and supportive\n    attitude toward internal controls and conscientious management.\n\n    Factors:\n\n    3 Management and staff maintain and demonstrate integrity and ethical values.\n\n    3 Management maintains an active commitment to competence.\n\n    3 Management\xe2\x80\x99s philosophy and operating style exerts a positive influence on the\n      organization (especially toward information systems, accounting, personnel\n      functions, monitoring and audits).\n\n    3 Organizational structure is appropriately centralized or decentralized, and\n      facilitates the flow of information across all activities.\n\n    3 Agency delegates authority and responsibility and establishes related policies\n      throughout the organization in a manner that provides for accountability and\n      control.\n\n    3 Agency establishes human resource policies and practices that enable it to recruit\n      and retain competent people to achieve its goals.\n\n\xe2\x80\xa2   Risk Assessment \xe2\x80\x93 Internal controls should provide for an assessment of the risks the\n    agency faces from both external and internal sources.\n\n       Precondition: establishment of clear and consistent agency objectives.\n\n       Risk assessment : the comprehensive identification and analysis of relevant risks\n       associated with achieving agency objectives, like those defined in strategic and\n       GPRA annual performance plans, and forming a basis for determining how the\n       agency should manage risks.\n\n       Risk identification: methods may include qualitative and quantitative ranking\n       activities, management conferences, forecasting and strategic planning, and\n       consideration of findings from audits and other assessments.\n\n       Risk analysis: generally includes estimating the risk\xe2\x80\x99s significance, assessing the\n       likelihood of its occurrence, and deciding how the agency should manage its risk.\n\x0c\xe2\x80\xa2   Control Activities \xe2\x80\x93 Internal control activities help ensure that employees carry out\n    management directives. The control activities should effectively and efficiently\n    accomplish agency control objectives.\n\n    3 The control activities are the policies, procedures, techniques, and mechanisms\n      that enforce management\xe2\x80\x99s directives. They help ensure that employees take\n      actions to address risks.\n\n    3 Control activities occur at all levels and functions of the entity, and include a wide\n      range of diverse activities such as approvals, authorizations, verifications,\n      reconciliations, performance reviews, maintenance of security, and creation and\n      maintenance of related records that document the execution of these activities.\n\n\xe2\x80\xa2   Information and Communications \xe2\x80\x93 Employees should record and communicate\n    information to management and others within the entity who need it in a form and\n    within a time frame that enables them to carry out their internal control (and other)\n    responsibilities effectively and efficiently.\n\n    3 An organization must have relevant, reliable, and timely communications relating\n      to internal as well as external events. Information is needed throughout the\n      agency to achieve all its operational and financial objectives.\n\n    3 Effective communications should occur in a broad sense with information flowing\n      down, across, and up the organization.\n\n    3 Management should ensure there are adequate means of communicating with, and\n      obtaining information from, external stakeholders that may have a significant\n      impact on the agency achieving its goals.\n\n\xe2\x80\xa2   Monitoring \xe2\x80\x93 Internal control monitoring should assess the quality of performance\n    over time and ensure that audit and other review findings are promptly resolved.\n\n    3 Includes regular management and supervisory activities, comparisons,\n      reconciliations, and other actions employees take in performing their duties.\n\n    3 Should include policies and procedures for ensuring that audit and other review\n      findings are promptly resolved.\n\x0cInternal Control Evaluation Form for the Office for Civil Rights                                             Attachment A\n\nControl Component     Deficiencies\nControl Environment   \xe2\x80\xa2 Assignment of Authority \xe2\x80\x93 According to OCFO records, four cardholders need warrants because their\n                         spending limits are in excess of $2,500.\n\nRisk Assessment       \xe2\x80\xa2   Identification of Risks \xe2\x80\x93 Although OCR conducts self-evaluations in certain procurement areas, formal\n                          risk assessment procedures have not been established.\n                      \xe2\x80\xa2   Identification of Risks \xe2\x80\x93 One procurement staff member has been assigned a moderate risk level\n                          although the employee\xe2\x80\x99s responsibilities suggest a high risk level is more appropriate. Another staff\n                          member has been assigned a low risk level although the employee\xe2\x80\x99s responsibilities suggest a moderate\n                          risk level is more appropriate.\n\nControl Activities    \xe2\x80\xa2   Policies and Procedures \xe2\x80\x93 Although required by the Department\xe2\x80\x99s Directive on Commercial Credit Card\n                          Service (C:FIM:6-102) dated March 12, 1990, OCR has no written purchase card policies and\n                          procedures.\n                      \xe2\x80\xa2   Approval \xe2\x80\x93 We reviewed the September 1999 and March 2000 OCR card statements from OCFO files.\n                          Our purpose was to verify that OCR had submitted all its monthly card statements with purchases to\n                          OCFO, and that the Approving Official had signed the statements.\n                                \xc3\xbc Fifteen cards had activity in September 1999. Statements for six of those cards were missing\n                                    from the OCFO files. Of the nine statements available for review, the Approving Official had\n                                    not signed five.\n                                \xc3\xbc Sixteen cards had activity in March 2000. Statements for all sixteen cards were in the OCFO\n                                    files. Of the sixteen statements, the Approving Official had not signed one.\n                      \xe2\x80\xa2    Recordkeeping \xe2\x80\x93 From a sample of 50 purchase card charges, OCR was unable to provide receipts for\n                           15 charges. Nine of these charges were for more than $400, including two that were larger than $1,400.\n                      \xe2\x80\xa2    Recordkeeping \xe2\x80\x93 Four purchase card charges in FY 1999 were assigned EDCAPS IMPAC numbers;\n                           however, those IMPAC numbers did not appear on the EDCAPS IMPAC Report. OCR was unable to\n                           explain why the transactions did not appear on the EDCAPS report.\n\x0c                 \xe2\x80\xa2 Policies and Procedures \xe2\x80\x93 The Department strongly encourages all principal offices to maximize\n                   purchase card use, because each card usage saves ED substantial processing costs as opposed to other\n                   payment mechanisms . In FY 1999, OCR issued 107 TPDS checks to the USDA Graduate School despite\n                   their acceptance of purchase card payments. At the time of our review, OCR had issued four (4) TPDS\n                   checks in FY 2000 to the USDA Graduate School. OCR should only issue TPDS checks when the\n                   vendor will not accept the purchase card.\n                 \xe2\x80\xa2 Recordkeeping \xe2\x80\x93 We reviewed a sample of 50 TPDS checks. Of these 50, OCR was unable to provide\n                   supporting documentation for three (3) checks. The amounts of these checks were $885, $210, and $117.\n                 \xe2\x80\xa2 Procedures \xe2\x80\x93 Of the 50 TPDS checks we reviewed, OCR did not pay five (5) within the time\n                   requirements of the Prompt Payment Act. All the late payments occurred in FY 1999. In addition, we\n                   noted two instances where the purchase card was used to pay an invoice that was overdue. Both of these\n                   instances also occurred in FY 1999. OCR staff told us that they had made improvements to their TPDS\n                   procedures since last year including requiring a procurement processing form and implementing a\n                   database to track invoices.\n                 \xe2\x80\xa2 Recordkeeping \xe2\x80\x93 OCR did not maintain a log to track TPDS checks assigned to the office. Such a log\n                   would allow OCR to identify any missing checks.\n\nInformation &    \xe2\x80\xa2   Communication of Key Information \xe2\x80\x93 The procurement staff we interviewed were not familiar with the\nCommunications       Department\xe2\x80\x99s Directive on Commercial Credit Card Service.\n\nMonitoring       \xe2\x80\xa2   On-going Monitoring \xe2\x80\x93 The supervisor of the individual with signature authority for TPDS checks does\n                     not perform periodic reviews of EDCAPS reports of checks issued by OCR.\n\x0c"